kojee-mcp 0.5.3 → 0.5.4

package/dist/control-token-TYDAL477.js

@@ -0,0 +1,35 @@
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
+// src/tandem/control-token.ts
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+function controlTokenPath(kojeeDir = path.join(os.homedir(), ".kojee")) {
+  return path.join(kojeeDir, "control-token");
+}
+function issueControlToken(filePath = controlTokenPath()) {
+  const token = crypto.randomBytes(32).toString("hex");
+  const dir = path.dirname(filePath);
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  secureDir(dir);
+  fs.writeFileSync(filePath, token + "\n", { mode: 384 });
+  secureFile(filePath);
+  return token;
+}
+function loadControlToken(filePath = controlTokenPath()) {
+  try {
+    const raw = fs.readFileSync(filePath, "utf8").trim();
+    return raw.length > 0 ? raw : null;
+  } catch {
+    return null;
+  }
+}
+export {
+  controlTokenPath,
+  issueControlToken,
+  loadControlToken
+};

package/dist/{doctor-TSHOMT5X.js → doctor-TXWMMSRC.js}

@@ -8,7 +8,7 @@ import {
 import {
   buildMonitorSpawn,
   buildReplyRecipe
-} from "./chunk-C6GZ2L2W.js";
+} from "./chunk-X672ZN7V.js";
 import {
   monitorHeartbeatPath,
   statusLogPath
@@ -220,7 +220,7 @@ function formatDoctorReport(report) {
 async function runDoctor() {
   const { readRecordedRuntime } = await import("./runtime-record-WO4IECM6.js");
   if (readRecordedRuntime() === "codex") {
-    const { collectCodexDoctorReport, formatCodexDoctorReport } = await import("./doctor-codex-BMI5JOO6.js");
+    const { collectCodexDoctorReport, formatCodexDoctorReport } = await import("./doctor-codex-3A7KYOVX.js");
     const report2 = collectCodexDoctorReport();
     console.error(formatCodexDoctorReport(report2));
     return report2.verdict === "broken" ? 1 : 0;

package/dist/{doctor-codex-BMI5JOO6.js → doctor-codex-3A7KYOVX.js}

@@ -1,15 +1,15 @@
 import {
   defaultCodexConfigPath,
   defaultCodexHooksPath
-} from "./chunk-ZW4SW7LJ.js";
+} from "./chunk-64EOLZNI.js";
 import "./chunk-SQL56SEB.js";
 import {
   CODEX_LISTEN_CAP_MS
-} from "./chunk-C6GZ2L2W.js";
+} from "./chunk-X672ZN7V.js";
 import "./chunk-BLEGIR35.js";
 import {
   resolveWebhookConfig
-} from "./chunk-F7L25L2J.js";
+} from "./chunk-OSKHA5DS.js";
 
 // src/doctor-codex.ts
 import fs from "fs";
@@ -84,6 +84,13 @@ function collectCodexDoctorReport(deps = {}) {
       ok: true,
       detail: `enabled \u2014 ${resolution.config.redactedSummary}`
     });
+    if (resolution.warning) {
+      checks.push({
+        name: "webhook signature config",
+        ok: "warn",
+        detail: `${resolution.warning} \u2014 ${WIZARD_RERUN} with valid signature flags`
+      });
+    }
   } else if (resolution.error) {
     checks.push({
       name: "webhook sink",

package/dist/{hook-server-QF5JVUHV.js → hook-server-NDJSV22J.js}

@@ -1,4 +1,13 @@
+import {
+  executeSend,
+  httpStatusForEnvelope,
+  parseSendRequest,
+  sendFailure
+} from "./chunk-HIZ4NDWN.js";
+import "./chunk-LDZXU3DW.js";
+
 // src/tandem/hook-server.ts
+import crypto from "crypto";
 import { createServer } from "http";
 async function startHookServer(opts) {
   const server = createServer((req, res) => {
@@ -38,8 +47,84 @@ async function handleRequest(req, res, opts) {
     }
     return json(res, 400, { error: "unknown type", detail: "type must be 'stop' or 'user-prompt-submit'" });
   }
+  if (req.method === "POST" && url.pathname === "/send") {
+    return handleSend(req, res, opts);
+  }
   return json(res, 404, { error: "not_found", detail: `${req.method} ${url.pathname}` });
 }
+var MAX_SEND_BODY_BYTES = 256 * 1024;
+async function handleSend(req, res, opts) {
+  if (!opts.send) {
+    return respondEnvelope(
+      res,
+      sendFailure(
+        "send_unavailable",
+        "this daemon started without a send surface (no gateway/control token wired)"
+      )
+    );
+  }
+  if (!bearerMatches(req.headers.authorization, opts.send.authToken)) {
+    return respondEnvelope(
+      res,
+      sendFailure(
+        "unauthorized",
+        "missing or invalid bearer \u2014 read the control token from the file named by the discovery file's controlTokenPath and send it as `Authorization: Bearer <token>`"
+      )
+    );
+  }
+  let raw;
+  try {
+    raw = await readBody(req, MAX_SEND_BODY_BYTES);
+  } catch (err) {
+    return respondEnvelope(
+      res,
+      sendFailure("bad_request", err.message)
+    );
+  }
+  let input;
+  try {
+    input = JSON.parse(raw);
+  } catch {
+    return respondEnvelope(
+      res,
+      sendFailure("bad_request", "request body must be valid JSON")
+    );
+  }
+  const parsed = parseSendRequest(input);
+  if (!parsed.ok) {
+    return respondEnvelope(res, parsed);
+  }
+  const envelope = await executeSend(opts.send.gateway, parsed.request);
+  respondEnvelope(res, envelope);
+}
+function respondEnvelope(res, envelope) {
+  json(res, httpStatusForEnvelope(envelope), envelope);
+}
+function bearerMatches(header, expected) {
+  if (!header || !header.startsWith("Bearer ")) return false;
+  const presented = header.slice("Bearer ".length).trim();
+  if (presented.length === 0) return false;
+  const a = crypto.createHash("sha256").update(presented).digest();
+  const b = crypto.createHash("sha256").update(expected).digest();
+  return crypto.timingSafeEqual(a, b);
+}
+function readBody(req, maxBytes) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let total = 0;
+    req.on("data", (chunk) => {
+      total += chunk.length;
+      if (total > maxBytes) {
+        reject(new Error(`request body exceeds ${maxBytes} bytes`));
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
 function respondWithEvents(res, opts) {
   const entries = opts.queue.takeForHook();
   const events = entries.map((entry) => opts.adapter.formatTandemEvent(entry.event));

package/dist/index.js

@@ -1,9 +1,12 @@
 import {
   startProxy
-} from "./chunk-YEC7IHIG.js";
+} from "./chunk-62KH6VNQ.js";
+import "./chunk-YVUXQ4Z2.js";
 import "./chunk-BJMASMKX.js";
-import "./chunk-C6GZ2L2W.js";
-import "./chunk-WBMX4CHB.js";
+import "./chunk-X672ZN7V.js";
+import "./chunk-36L3GCU3.js";
+import "./chunk-2MIISF2W.js";
+import "./chunk-LDZXU3DW.js";
 import "./chunk-BLEGIR35.js";
 export {
   startProxy

package/dist/send-cli-7QJ36YY7.js

@@ -0,0 +1,72 @@
+import {
+  loadPairedConfig
+} from "./chunk-YH27B6SW.js";
+import {
+  GatewayClient,
+  loadKeystore
+} from "./chunk-36L3GCU3.js";
+import "./chunk-2MIISF2W.js";
+import {
+  executeSend,
+  parseSendRequest,
+  sendFailure
+} from "./chunk-HIZ4NDWN.js";
+import "./chunk-LDZXU3DW.js";
+import "./chunk-BLEGIR35.js";
+
+// src/tandem/send-cli.ts
+import os from "os";
+import path from "path";
+async function createPairedGateway(kojeeDir) {
+  const configPath = path.join(kojeeDir, "config.json");
+  const paired = loadPairedConfig(configPath);
+  if (!paired) {
+    return sendFailure(
+      "not_paired",
+      `no paired config at ${configPath} \u2014 run \`kojee-mcp pair <code> --url <broker>\` first`
+    );
+  }
+  const brokerUrl = paired.broker_url.replace(/\/+$/, "");
+  const keystorePath = path.join(kojeeDir, "keypair.json");
+  const keystore = await loadKeystore(keystorePath, brokerUrl).catch(() => null);
+  if (!keystore) {
+    return sendFailure(
+      "not_enrolled",
+      `no DPoP keystore for ${brokerUrl} at ${keystorePath} \u2014 start the proxy once (or re-run \`kojee-mcp pair\`) to enroll a keypair`
+    );
+  }
+  const sessionId = GatewayClient.deriveSessionId(paired.token);
+  return {
+    ok: true,
+    gateway: new GatewayClient(
+      brokerUrl,
+      paired.token,
+      keystore.privateKey,
+      keystore.kid,
+      sessionId
+    )
+  };
+}
+async function runSendCli(args, deps = {}) {
+  const parsed = parseSendRequest({
+    tandem_id: args.tandemId,
+    body: args.body,
+    ...args.replyTo !== void 0 ? { reply_to: args.replyTo } : {},
+    ...args.kind !== void 0 ? { kind: args.kind } : {}
+  });
+  if (!parsed.ok) {
+    return { exitCode: 1, envelope: parsed };
+  }
+  const kojeeDir = args.kojeeDir ?? path.join(os.homedir(), ".kojee");
+  const createGateway = deps.createGateway ?? createPairedGateway;
+  const resolution = await createGateway(kojeeDir);
+  if (!resolution.ok) {
+    return { exitCode: 1, envelope: resolution };
+  }
+  const envelope = await executeSend(resolution.gateway, parsed.request);
+  return { exitCode: envelope.ok ? 0 : 1, envelope };
+}
+export {
+  createPairedGateway,
+  runSendCli
+};

package/dist/{stop-hook-SEPWWETV.js → stop-hook-GO363SMD.js}

@@ -7,7 +7,7 @@ import {
 } from "./chunk-BJMASMKX.js";
 import {
   buildMonitorNudge
-} from "./chunk-C6GZ2L2W.js";
+} from "./chunk-X672ZN7V.js";
 import {
   monitorHeartbeatPath,
   nudgeSentinelPath

package/dist/{tail-stream-BYKO4DW6.js → tail-stream-U436QL2X.js}

@@ -1,6 +1,7 @@
 import {
   createAdaptiveWatchdog
-} from "./chunk-WBMX4CHB.js";
+} from "./chunk-YVUXQ4Z2.js";
+import "./chunk-2MIISF2W.js";
 import {
   STATUS_LINE_PREFIX,
   monitorHeartbeatPath,

package/dist/webhook-config-UKUSI2FE.js

@@ -0,0 +1,20 @@
+import {
+  WEBHOOK_DEFAULT_MAX_RETRIES,
+  WEBHOOK_DEFAULT_SIGNATURE_HEADER,
+  WEBHOOK_DEFAULT_SIGNATURE_PREFIX,
+  WEBHOOK_DEFAULT_TIMEOUT_MS,
+  WEBHOOK_SIGNATURE_FORMATS,
+  emissionRejectionReason,
+  resolveSignatureEmission,
+  resolveWebhookConfig
+} from "./chunk-OSKHA5DS.js";
+export {
+  WEBHOOK_DEFAULT_MAX_RETRIES,
+  WEBHOOK_DEFAULT_SIGNATURE_HEADER,
+  WEBHOOK_DEFAULT_SIGNATURE_PREFIX,
+  WEBHOOK_DEFAULT_TIMEOUT_MS,
+  WEBHOOK_SIGNATURE_FORMATS,
+  emissionRejectionReason,
+  resolveSignatureEmission,
+  resolveWebhookConfig
+};

package/dist/{webhook-sink-7OYZBWXA.js → webhook-sink-GCLL2S6S.js}

@@ -1,3 +1,8 @@
+import {
+  WEBHOOK_DEFAULT_SIGNATURE_HEADER,
+  WEBHOOK_DEFAULT_SIGNATURE_PREFIX
+} from "./chunk-OSKHA5DS.js";
+
 // src/tandem/webhook-sink.ts
 import crypto from "crypto";
 import { ulid } from "ulidx";
@@ -26,6 +31,8 @@ function createWebhookSink(config, options = {}) {
   const maxQueue = options.maxQueue ?? DEFAULT_MAX_QUEUE;
   const backoffMs = options.backoffMs ?? defaultBackoffMs;
   const log = options.log ?? ((line) => console.error(`[webhook] ${line}`));
+  const signatureHeader = config.signatureHeader ?? WEBHOOK_DEFAULT_SIGNATURE_HEADER;
+  const signaturePrefix = config.signaturePrefix ?? WEBHOOK_DEFAULT_SIGNATURE_PREFIX;
   const queue = [];
   let inFlight = false;
   let stopped = false;
@@ -51,7 +58,7 @@ function createWebhookSink(config, options = {}) {
   }
   function prepare(event) {
     const body = JSON.stringify(event);
-    const signature = computeWebhookSignature(config.secret, body);
+    const signature = signaturePrefix + computeWebhookSignature(config.secret, body);
     const deliveryId = event.id || ulid();
     return { event, body, signature, deliveryId };
   }
@@ -63,8 +70,10 @@ function createWebhookSink(config, options = {}) {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          // hex SHA-256 HMAC of the RAW body bytes — the receiver re-verifies.
-          "X-Kojee-Signature": item.signature,
+          // (prefix +) hex SHA-256 HMAC of the RAW body bytes — the receiver
+          // re-verifies. Header name defaults to X-Kojee-Signature; the
+          // GitHub-convention preset emits X-Hub-Signature-256 / sha256=.
+          [signatureHeader]: item.signature,
           "X-Kojee-Delivery": item.deliveryId
         },
         body: item.body,

package/dist/{wizard-7KHD5JT4.js → wizard-Z5JA3YPV.js}

@@ -1,31 +1,32 @@
+import {
+  clearRuntimeRecord,
+  readRecordedRuntime,
+  recordRuntime
+} from "./chunk-EW72ZNQL.js";
 import {
   buildCodexMcpServerTable,
   buildCodexStopHookBlock,
   removeCodexConfig,
   writeCodexConfig
-} from "./chunk-ZW4SW7LJ.js";
+} from "./chunk-64EOLZNI.js";
+import {
+  kojeeHomeDir
+} from "./chunk-SQL56SEB.js";
 import {
   WIZARD_RUNTIMES,
   isWizardRuntime
 } from "./chunk-LVL25VLO.js";
-import {
-  clearRuntimeRecord,
-  readRecordedRuntime,
-  recordRuntime
-} from "./chunk-EW72ZNQL.js";
-import {
-  kojeeHomeDir
-} from "./chunk-SQL56SEB.js";
 import {
   CODEX_LISTEN_CAP_MS,
   buildWebhookReceiverNote
-} from "./chunk-C6GZ2L2W.js";
+} from "./chunk-X672ZN7V.js";
 import {
   secureFile
 } from "./chunk-BLEGIR35.js";
 import {
+  resolveSignatureEmission,
   resolveWebhookConfig
-} from "./chunk-F7L25L2J.js";
+} from "./chunk-OSKHA5DS.js";
 
 // src/wizard/wizard.ts
 import crypto from "crypto";
@@ -57,28 +58,55 @@ function resolveWizardWebhook(opts) {
   const url = (opts.webhookUrl ?? env["KOJEE_WEBHOOK_URL"] ?? "").trim();
   let secret = (opts.webhookSecret ?? env["KOJEE_WEBHOOK_SECRET"] ?? "").trim();
   if (url && !secret) secret = generateWebhookSecret();
+  const sigFormat = (opts.webhookSignatureFormat ?? env["KOJEE_WEBHOOK_SIGNATURE_FORMAT"] ?? "").trim();
+  const sigHeader = (opts.webhookSignatureHeader ?? env["KOJEE_WEBHOOK_SIGNATURE_HEADER"] ?? "").trim();
+  const sigPrefix = opts.webhookSignaturePrefix ?? env["KOJEE_WEBHOOK_SIGNATURE_PREFIX"];
+  const signatureEnv = [];
+  if (sigFormat) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_FORMAT", sigFormat]);
+  if (sigHeader) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_HEADER", sigHeader]);
+  if (sigPrefix !== void 0) signatureEnv.push(["KOJEE_WEBHOOK_SIGNATURE_PREFIX", sigPrefix]);
+  const emission = resolveSignatureEmission(Object.fromEntries(signatureEnv));
   const resolution = resolveWebhookConfig({
     KOJEE_WEBHOOK_URL: url,
     KOJEE_WEBHOOK_SECRET: secret,
     ...env["KOJEE_WEBHOOK_TIMEOUT_MS"] !== void 0 ? { KOJEE_WEBHOOK_TIMEOUT_MS: env["KOJEE_WEBHOOK_TIMEOUT_MS"] } : {},
-    ...env["KOJEE_WEBHOOK_MAX_RETRIES"] !== void 0 ? { KOJEE_WEBHOOK_MAX_RETRIES: env["KOJEE_WEBHOOK_MAX_RETRIES"] } : {}
+    ...env["KOJEE_WEBHOOK_MAX_RETRIES"] !== void 0 ? { KOJEE_WEBHOOK_MAX_RETRIES: env["KOJEE_WEBHOOK_MAX_RETRIES"] } : {},
+    ...Object.fromEntries(signatureEnv)
   });
+  const warning = resolution.warning ?? (emission.warnings.length > 0 ? emission.warnings.join("; ") : void 0);
   if (resolution.error) {
-    return { url, secret, redactedSummary: "", error: resolution.error };
+    return {
+      url,
+      secret,
+      redactedSummary: "",
+      signatureEnv,
+      signatureHeader: emission.header,
+      signaturePrefix: emission.prefix,
+      error: resolution.error
+    };
   }
   return {
     url,
     secret,
-    redactedSummary: resolution.config?.redactedSummary ?? `url=${url} secret=<redacted>`
+    redactedSummary: resolution.config?.redactedSummary ?? `url=${url} secret=<redacted>`,
+    signatureEnv,
+    signatureHeader: emission.header,
+    signaturePrefix: emission.prefix,
+    ...warning !== void 0 ? { warning } : {}
   };
 }
-function writeRuntimeEnvFile(runtime, url, secret) {
+function shellSingleQuote(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+function writeRuntimeEnvFile(runtime, url, secret, signatureEnv = []) {
   const envPath = path.join(kojeeHomeDir(), ".kojee", `${runtime}.env`);
   const body = [
     `# kojee daemon env for runtime=${runtime} (source this before starting the daemon)`,
-    `export KOJEE_RUNTIME="${runtime}"`,
-    `export KOJEE_WEBHOOK_URL="${url}"`,
-    `export KOJEE_WEBHOOK_SECRET="${secret}"`,
+    `export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`,
+    `export KOJEE_WEBHOOK_URL=${shellSingleQuote(url)}`,
+    `export KOJEE_WEBHOOK_SECRET=${shellSingleQuote(secret)}`,
+    // Signature emission overrides (0.5.3) — only when explicitly configured.
+    ...signatureEnv.map(([k, v]) => `export ${k}=${shellSingleQuote(v)}`),
     ""
   ].join("\n");
   fs.mkdirSync(path.dirname(envPath), { recursive: true, mode: 448 });
@@ -156,7 +184,8 @@ function configureCodex(opts) {
     ...opts.configPath ? { configPath: opts.configPath } : {},
     ...opts.hooksPath ? { hooksPath: opts.hooksPath } : {},
     webhookUrl: url,
-    webhookSecret: secret
+    webhookSecret: secret,
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
   });
   recordRuntime("codex");
   const lines = [];
@@ -164,7 +193,12 @@ function configureCodex(opts) {
   lines.push("Wake mode: webhook-sink + stop-hook peek (Codex has no channel injection).");
   lines.push("");
   lines.push("Wrote [mcp_servers.kojee] to ~/.codex/config.toml:");
-  lines.push(indent(buildCodexMcpServerTable({ webhookUrl: url, webhookSecret: "<redacted>" })));
+  lines.push(indent(buildCodexMcpServerTable({
+    webhookUrl: url,
+    webhookSecret: "<redacted>",
+    ...wh.signatureEnv.length > 0 ? { signatureEnv: wh.signatureEnv } : {}
+  })));
+  if (wh.warning) lines.push(`webhook WARNING: ${wh.warning}`);
   lines.push("");
   lines.push("Wrote the Codex Stop hook (~/.codex/hooks.json; inline TOML form):");
   lines.push(indent(buildCodexStopHookBlock()));
@@ -175,7 +209,7 @@ function configureCodex(opts) {
   lines.push("Next steps (codex):");
   lines.push("  Restart Codex (or start a new `codex` / `codex exec` session) to load the MCP server and hook.");
   lines.push("  Stand up your webhook receiver at KOJEE_WEBHOOK_URL \u2014 contract:");
-  lines.push(indent(buildWebhookReceiverNote()));
+  lines.push(indent(buildWebhookReceiverNote({ header: wh.signatureHeader, prefix: wh.signaturePrefix })));
   lines.push("  Verify: kojee-mcp doctor");
   lines.push("");
   lines.push(CODEX_UNVERIFIED_NOTE);
@@ -191,23 +225,26 @@ function configureWebhookDaemon(runtime, opts) {
   lines.push(`Configured runtime: ${runtime}`);
   lines.push("Wake mode: webhook sink (daemon-consumed). NO MCP-config file, NO hooks written.");
   lines.push("");
+  if (wh.warning) lines.push(`webhook WARNING: ${wh.warning}`);
   if (wh.url) {
-    const envFile = writeRuntimeEnvFile(runtime, wh.url, wh.secret);
+    const envFile = writeRuntimeEnvFile(runtime, wh.url, wh.secret, wh.signatureEnv);
     lines.push("Export these before starting the daemon (also written to a source-able file):");
-    lines.push(`  export KOJEE_RUNTIME="${runtime}"`);
-    lines.push(`  export KOJEE_WEBHOOK_URL="${wh.url}"`);
+    lines.push(`  export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`);
+    lines.push(`  export KOJEE_WEBHOOK_URL=${shellSingleQuote(wh.url)}`);
     lines.push(`  export KOJEE_WEBHOOK_SECRET=<generated; in ${envFile}>`);
+    for (const [k, v] of wh.signatureEnv) lines.push(`  export ${k}=${shellSingleQuote(v)}`);
     lines.push(`  (validated: ${wh.redactedSummary})`);
     lines.push(`  source ${envFile}`);
   } else {
     lines.push("Set the daemon env (no receiver URL supplied yet):");
-    lines.push(`  export KOJEE_RUNTIME="${runtime}"`);
+    lines.push(`  export KOJEE_RUNTIME=${shellSingleQuote(runtime)}`);
     lines.push(`  export KOJEE_WEBHOOK_URL="https://YOUR-RECEIVER.local/kojee"`);
     lines.push(`  export KOJEE_WEBHOOK_SECRET=<generate a hex secret>`);
+    for (const [k, v] of wh.signatureEnv) lines.push(`  export ${k}=${shellSingleQuote(v)}`);
   }
   lines.push("");
   lines.push("Receiver contract:");
-  lines.push(indent(buildWebhookReceiverNote()));
+  lines.push(indent(buildWebhookReceiverNote({ header: wh.signatureHeader, prefix: wh.signaturePrefix })));
   lines.push("");
   lines.push(`Next steps (${runtime}):`);
   lines.push("  Start the daemon with the env above. Verify: kojee-mcp doctor (after the daemon is up).");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kojee-mcp",
-  "version": "0.5.3",
+  "version": "0.5.4",
   "type": "module",
   "main": "dist/index.js",
   "bin": {

package/dist/chunk-F7L25L2J.js

@@ -1,60 +0,0 @@
-// src/tandem/webhook-config.ts
-var WEBHOOK_DEFAULT_TIMEOUT_MS = 5e3;
-var WEBHOOK_DEFAULT_MAX_RETRIES = 4;
-function redactUrlUserinfo(rawUrl, parsed) {
-  if (!parsed.username && !parsed.password) return rawUrl;
-  parsed.username = "";
-  parsed.password = "";
-  return parsed.toString();
-}
-function parsePositiveInt(raw, fallback) {
-  if (raw === void 0) return fallback;
-  const n = Number(raw);
-  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return fallback;
-  return n;
-}
-function resolveWebhookConfig(env = process.env) {
-  const url = (env["KOJEE_WEBHOOK_URL"] ?? "").trim();
-  if (!url) {
-    return { enabled: false, config: null };
-  }
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    return {
-      enabled: false,
-      config: null,
-      error: `KOJEE_WEBHOOK_URL is not a valid URL \u2014 webhook sink DISABLED`
-    };
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    return {
-      enabled: false,
-      config: null,
-      error: `KOJEE_WEBHOOK_URL must be http(s) (got ${parsed.protocol}) \u2014 webhook sink DISABLED`
-    };
-  }
-  const secret = (env["KOJEE_WEBHOOK_SECRET"] ?? "").trim();
-  if (!secret) {
-    return {
-      enabled: false,
-      config: null,
-      error: "KOJEE_WEBHOOK_URL is set but KOJEE_WEBHOOK_SECRET is missing \u2014 webhook sink DISABLED (the proxy NEVER sends unsigned webhooks)"
-    };
-  }
-  const timeoutMs = parsePositiveInt(env["KOJEE_WEBHOOK_TIMEOUT_MS"], WEBHOOK_DEFAULT_TIMEOUT_MS);
-  const maxRetries = parsePositiveInt(env["KOJEE_WEBHOOK_MAX_RETRIES"], WEBHOOK_DEFAULT_MAX_RETRIES);
-  const safeUrl = redactUrlUserinfo(url, parsed);
-  const redactedSummary = `url=${safeUrl} secret=<redacted> timeoutMs=${timeoutMs} maxRetries=${maxRetries}`;
-  return {
-    enabled: true,
-    config: { url, secret, timeoutMs, maxRetries, redactedSummary }
-  };
-}
-
-export {
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  resolveWebhookConfig
-};

package/dist/webhook-config-5TLLX7RA.js

@@ -1,10 +0,0 @@
-import {
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  resolveWebhookConfig
-} from "./chunk-F7L25L2J.js";
-export {
-  WEBHOOK_DEFAULT_MAX_RETRIES,
-  WEBHOOK_DEFAULT_TIMEOUT_MS,
-  resolveWebhookConfig
-};